OLD | NEW |
---|---|
(Empty) | |
1 // Copyright 2014 The Chromium Authors. All rights reserved. | |
2 // Use of this source code is governed by a BSD-style license that can be | |
3 // found in the LICENSE file. | |
4 | |
5 #include "net/cert/cert_policy_enforcer.h" | |
6 | |
7 #include <string> | |
8 | |
9 #include "base/memory/scoped_ptr.h" | |
10 #include "net/base/test_data_directory.h" | |
11 #include "net/cert/ct_ev_whitelist.h" | |
12 #include "net/cert/ct_verify_result.h" | |
13 #include "net/cert/x509_certificate.h" | |
14 #include "net/test/cert_test_util.h" | |
15 #include "net/test/ct_test_util.h" | |
16 #include "testing/gmock/include/gmock/gmock.h" | |
17 #include "testing/gtest/include/gtest/gtest.h" | |
18 | |
19 namespace net { | |
20 | |
21 namespace { | |
22 | |
23 class MockEVCertsWhitelist : public ct::EVCertsWhitelist { | |
24 public: | |
25 MockEVCertsWhitelist(bool is_valid_return, bool contains_hash_return) { | |
26 EXPECT_CALL(*this, IsValid()).WillOnce(testing::Return(is_valid_return)); | |
27 if (is_valid_return) | |
28 EXPECT_CALL(*this, ContainsCertificateHash(testing::_)) | |
29 .WillOnce(testing::Return(contains_hash_return)); | |
Ryan Sleevi
2014/12/01 15:27:55
Right, I wanted to entirely avoid EXPECT_CALL, it'
| |
30 } | |
31 | |
32 MOCK_CONST_METHOD0(IsValid, bool()); | |
33 MOCK_CONST_METHOD1(ContainsCertificateHash, bool(const std::string&)); | |
34 | |
35 protected: | |
36 ~MockEVCertsWhitelist() override {} | |
37 }; | |
38 | |
39 class CertPolicyEnforcerTest : public ::testing::Test { | |
40 public: | |
41 virtual void SetUp() override { | |
42 policy_enforcer_.reset(new CertPolicyEnforcer(5, true)); | |
43 | |
44 std::string der_test_cert(ct::GetDerEncodedX509Cert()); | |
45 chain_ = X509Certificate::CreateFromBytes(der_test_cert.data(), | |
46 der_test_cert.size()); | |
47 ASSERT_TRUE(chain_.get()); | |
48 } | |
49 | |
50 void FillResultWithSCTsOfOrigin( | |
51 ct::SignedCertificateTimestamp::Origin desired_origin, | |
52 int num_scts, | |
53 ct::CTVerifyResult* result) { | |
54 for (int i = 0; i < num_scts; ++i) { | |
55 scoped_refptr<ct::SignedCertificateTimestamp> sct( | |
56 new ct::SignedCertificateTimestamp()); | |
57 sct->origin = desired_origin; | |
58 result->verified_scts.push_back(sct); | |
59 } | |
60 } | |
61 | |
62 protected: | |
63 scoped_ptr<CertPolicyEnforcer> policy_enforcer_; | |
64 scoped_refptr<X509Certificate> chain_; | |
65 }; | |
66 | |
67 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithNonEmbeddedSCTs) { | |
68 ct::CTVerifyResult result; | |
69 FillResultWithSCTsOfOrigin( | |
70 ct::SignedCertificateTimestamp::SCT_FROM_TLS_EXTENSION, 2, &result); | |
71 | |
72 EXPECT_TRUE( | |
73 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
74 } | |
75 | |
76 TEST_F(CertPolicyEnforcerTest, ConformsToCTEVPolicyWithEmbeddedSCTs) { | |
77 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
78 ct::CTVerifyResult result; | |
79 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
80 &result); | |
81 | |
82 EXPECT_TRUE( | |
83 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
84 } | |
85 | |
86 TEST_F(CertPolicyEnforcerTest, DoesNotConformToCTEVPolicyNotEnoughSCTs) { | |
87 scoped_refptr<ct::EVCertsWhitelist> non_including_whitelist = | |
88 new MockEVCertsWhitelist(true, false); | |
89 // This chain_ is valid for 10 years - over 121 months - so requires 5 SCTs. | |
90 // However, as there are only two logs, two SCTs will be required - supply one | |
91 // to guarantee the test fails. | |
92 ct::CTVerifyResult result; | |
93 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
94 &result); | |
95 | |
96 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
97 chain_.get(), non_including_whitelist.get(), result)); | |
Ryan Sleevi
2014/12/01 15:27:55
did clang-format (aka "git cl format") do this? If
Eran Messeri
2014/12/01 17:29:54
I can only assume it did (I ran git-cl format).
| |
98 | |
99 // ... but should be OK if whitelisted. | |
100 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
101 new MockEVCertsWhitelist(true, true); | |
Ryan Sleevi
2014/12/01 15:27:55
Note dominant style in this file is to use ctor in
Eran Messeri
2014/12/01 17:29:54
Done.
| |
102 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
103 chain_.get(), whitelist.get(), result)); | |
104 } | |
105 | |
106 TEST_F(CertPolicyEnforcerTest, DoesNotEnforceCTPolicyIfNotRequired) { | |
107 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(3, false)); | |
108 | |
109 ct::CTVerifyResult result; | |
110 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
111 &result); | |
112 // Expect true despite the chain not having enough SCTs as the policy | |
113 // is not enforced. | |
114 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
115 } | |
116 | |
117 TEST_F(CertPolicyEnforcerTest, DoesNotConformToPolicyInvalidDates) { | |
118 scoped_refptr<X509Certificate> no_valid_dates_cert(new X509Certificate( | |
119 "subject", "issuer", base::Time(), base::Time::Now())); | |
120 ct::CTVerifyResult result; | |
121 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 5, | |
122 &result); | |
123 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
124 no_valid_dates_cert.get(), nullptr, result)); | |
125 // ... but should be OK if whitelisted. | |
126 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
127 new MockEVCertsWhitelist(true, true); | |
128 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
129 chain_.get(), whitelist.get(), result)); | |
130 } | |
131 | |
132 TEST_F(CertPolicyEnforcerTest, | |
133 ConformsToPolicyExactNumberOfSCTsForValidityPeriod) { | |
134 // Test multiple validity periods: Over 27 months, Over 15 months (but less | |
135 // than 27 months), | |
136 // Less than 15 months. | |
137 const size_t validity_period[] = {12, 19, 30, 50}; | |
138 const size_t needed_scts[] = {2, 3, 4, 5}; | |
139 | |
140 for (int i = 0; i < 3; ++i) { | |
141 size_t curr_validity = validity_period[i]; | |
142 scoped_refptr<X509Certificate> cert(new X509Certificate( | |
143 "subject", "issuer", base::Time::Now(), | |
144 base::Time::Now() + base::TimeDelta::FromDays(31 * curr_validity))); | |
145 size_t curr_required_scts = needed_scts[i]; | |
146 ct::CTVerifyResult result; | |
147 for (size_t j = 0; j < curr_required_scts - 1; ++j) { | |
148 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, | |
149 1, &result); | |
150 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), | |
151 nullptr, result)) | |
152 << " for: " << curr_validity << " and " << curr_required_scts | |
153 << " scts=" << result.verified_scts.size() << " j=" << j; | |
154 } | |
155 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
156 &result); | |
157 EXPECT_TRUE( | |
158 policy_enforcer_->DoesConformToCTEVPolicy(cert.get(), nullptr, result)); | |
159 } | |
160 } | |
161 | |
162 TEST_F(CertPolicyEnforcerTest, | |
163 ConformsToPolicyButDoesNotRequireMoreThanNumLogs) { | |
164 scoped_ptr<CertPolicyEnforcer> enforcer(new CertPolicyEnforcer(2, true)); | |
165 | |
166 ct::CTVerifyResult result; | |
167 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 2, | |
168 &result); | |
169 // Expect true despite the chain not having enough SCTs according to the | |
170 // policy | |
171 // since we only have 2 logs. | |
172 EXPECT_TRUE(enforcer->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
173 } | |
174 | |
175 TEST_F(CertPolicyEnforcerTest, ConformsToPolicyByEVWhitelistPresence) { | |
176 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
177 new MockEVCertsWhitelist(true, true); | |
178 | |
179 ct::CTVerifyResult result; | |
180 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
181 &result); | |
182 EXPECT_TRUE(policy_enforcer_->DoesConformToCTEVPolicy( | |
183 chain_.get(), whitelist.get(), result)); | |
184 } | |
185 | |
186 TEST_F(CertPolicyEnforcerTest, IgnoresInvalidEVWhitelist) { | |
187 scoped_refptr<ct::EVCertsWhitelist> whitelist = | |
188 new MockEVCertsWhitelist(false, true); | |
189 | |
190 ct::CTVerifyResult result; | |
191 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
192 &result); | |
193 EXPECT_FALSE(policy_enforcer_->DoesConformToCTEVPolicy( | |
194 chain_.get(), whitelist.get(), result)); | |
195 } | |
196 | |
197 TEST_F(CertPolicyEnforcerTest, IgnoresNullEVWhitelist) { | |
198 ct::CTVerifyResult result; | |
199 FillResultWithSCTsOfOrigin(ct::SignedCertificateTimestamp::SCT_EMBEDDED, 1, | |
200 &result); | |
201 EXPECT_FALSE( | |
202 policy_enforcer_->DoesConformToCTEVPolicy(chain_.get(), nullptr, result)); | |
203 } | |
204 | |
205 } // namespace | |
206 | |
207 } // namespace net | |
OLD | NEW |